Plugins that collect information and phone home to a third party without the user's consent are a serious issue in the WordPress community. The WordPress plugin repository guidelines are clear on this matter, specifically point number seven and its sub-points. Pooria Asteraky has published a post explaining why there needs to be more transparency across the WordPress community as a whole when it comes to 'trackers' being installed on users' sites via WordPress plugins.
Pooria uses 'trackers' to mean tracking code that collects information such as usage statistics. After installing a WordPress plugin that provided social sharing buttons, he discovered through Ghostery that thirteen trackers had been installed on the website, five of which had nothing to do with social networks. The rest of the post explains why this is not a good thing for the WordPress community and calls on webmasters, plugin authors, and everyone else on the web to be completely transparent about the trackers being used on their sites.
The Community Does A Good Job Policing Itself
WordPress is open source, and so are all of the plugins hosted in the plugin repository. While plugin reviewers volunteer their time to make sure nothing malicious ends up in the repository, some plugins slip through the cracks. However, because of the size of the WordPress user base and how easy it is to read a plugin's code, those plugins usually don't last long in the wild. If you come across a plugin on the WordPress plugin repository that you think is doing something malicious, contact plugins at wordpress.org. Someone from the review team will take a look at the issue and act accordingly.
Complete Transparency Is A Pipe Dream
Near the end of the post, Pooria outlines the final goal of transparency.
The final goal of transparency is to encourage all WordPress Users (Webmasters) to publicly announce all the trackers and cookies of their sites to the public (visitors and viewers of WordPress Sites).
This is a goal that, in my opinion, will never be realized. Otto makes a number of points I agree with. I think it's asking too much for webmasters to list every ad script, cookie, tracker, and analytics service on their website for public display. In fact, it should be assumed that any webpage a user visits will run some sort of statistics-gathering software or leave cookies behind in the browser. This is the nature of the web. Users are not without options to counter this: there is a myriad of tools available, such as browser extensions, desktop software, and privacy settings within the browser.
The Correct Way To Gather Usage Info Within Plugins
If you're going to track users of your plugin, I highly suggest going about it the same way Joost de Valk does. His WordPress SEO plugin asks users, after they have activated it for the first time, whether or not they want to enable tracking.
This is an acceptable method under the WordPress plugin repository guidelines, as it asks for the user's consent.
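The opt-in pattern described above, written out as an added example plugin. This is not code from WordPress SEO or from WordPress core; it is a minimal illustration of the same idea. The option name, the hypothetical collection endpoint stats.example.com, and the exact fields in the payload are assumptions made for the example. The key properties are that nothing is sent until an administrator explicitly clicks Allow, the request to record the choice is protected by a nonce and a capability check so a forged link cannot opt a site in, the payload contains only the fields the notice promised, and consent is re-checked every time data is about to leave the site so withdrawing it takes effect immediately.

```php
<?php
/*
 * Plugin Name: Example Opt-In Usage Tracking
 * Description: Added example: ask for consent once after activation; send nothing unless an admin opts in.
 */

// Records the administrator's decision: 'unset' (not asked yet), 'yes' or 'no'.
define( 'EXOT_OPTION', 'exot_tracking_consent' );
// Hypothetical collection endpoint (assumption for this example, not a real service).
define( 'EXOT_ENDPOINT', 'https://stats.example.com/collect' );

// On first activation, mark the decision as pending. add_option() is a no-op if the
// option already exists, so deactivating and re-activating keeps the earlier answer.
register_activation_hook( __FILE__, function () {
	add_option( EXOT_OPTION, 'unset' );
} );

// On deactivation, stop the scheduled send so nothing runs for an inactive plugin.
register_deactivation_hook( __FILE__, function () {
	wp_clear_scheduled_hook( 'exot_send_usage' );
} );

// Show the consent notice only to administrators, and only while no choice is recorded.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) || 'unset' !== get_option( EXOT_OPTION, 'unset' ) ) {
		return;
	}
	// Both links carry a nonce; check_admin_referer() verifies it on the other side.
	$allow = wp_nonce_url( add_query_arg( 'exot_consent', 'yes' ), 'exot_consent' );
	$deny  = wp_nonce_url( add_query_arg( 'exot_consent', 'no' ), 'exot_consent' );
	echo '<div class="notice notice-info"><p>';
	echo esc_html__( 'Help improve this plugin by sending anonymous usage data (plugin version, WordPress version, PHP version, number of active plugins) to ', 'exot' );
	echo esc_html( EXOT_ENDPOINT ) . '. ';
	echo '<a href="' . esc_url( $allow ) . '">' . esc_html__( 'Allow', 'exot' ) . '</a> | ';
	echo '<a href="' . esc_url( $deny ) . '">' . esc_html__( 'No thanks', 'exot' ) . '</a>';
	echo '</p></div>';
} );

// Record the choice. The capability check and nonce stop a forged or replayed link
// from opting the site in on the administrator's behalf.
add_action( 'admin_init', function () {
	if ( ! isset( $_GET['exot_consent'] ) || ! current_user_can( 'manage_options' ) ) {
		return;
	}
	check_admin_referer( 'exot_consent' ); // dies on a missing or invalid nonce
	$choice = ( 'yes' === $_GET['exot_consent'] ) ? 'yes' : 'no';
	update_option( EXOT_OPTION, $choice );
	if ( 'yes' === $choice ) {
		if ( ! wp_next_scheduled( 'exot_send_usage' ) ) {
			wp_schedule_event( time(), 'daily', 'exot_send_usage' );
		}
	} else {
		wp_clear_scheduled_hook( 'exot_send_usage' );
	}
	// Strip the action parameters so a reload does not re-submit the choice.
	wp_safe_redirect( remove_query_arg( array( 'exot_consent', '_wpnonce' ) ) );
	exit;
} );

// Build the payload from exactly the fields the notice promised, and nothing more.
function exot_usage_payload() {
	return array(
		'plugin_version' => '1.0.0',
		'wp_version'     => get_bloginfo( 'version' ),
		'php_version'    => PHP_VERSION,
		'active_plugins' => count( (array) get_option( 'active_plugins', array() ) ),
	);
}

// The only place data leaves the site. Consent is re-read on every run, so an
// administrator who later switches to 'no' stops the sends immediately.
add_action( 'exot_send_usage', function () {
	if ( 'yes' !== get_option( EXOT_OPTION, 'unset' ) ) {
		return;
	}
	wp_remote_post( EXOT_ENDPOINT, array(
		'timeout'  => 5,
		'blocking' => false, // fire and forget; a slow endpoint must not slow the site
		'body'     => exot_usage_payload(),
	) );
} );
```

Two design choices are worth calling out. The default is 'unset' rather than 'no' only so the notice knows whether to appear; until the stored value is literally 'yes', the send callback returns without contacting anything. And the notice names the destination and the exact fields, because consent to "anonymous usage data" means little if the user cannot see what is collected or where it goes.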
Be Up Front and Honest With Users
Between the plugin review team and the WordPress community, most users don't have anything to worry about. Gathering usage information is not bad in itself; it's a wonderful way to collect the data needed to improve software. What's bad is gathering that information without anyone knowing it's taking place. As a plugin author, do the right thing. Be up front and honest about gathering usage data. Give users the choice, and for those users who enable tracking, don't give them a reason to lose their trust.
Maybe WordPress core should present users with information to the effect of: WordPress enables Gravatar by default. When Gravatar is enabled, a visitor's browser sends their IP address and a referring URL to third-party servers owned by Automattic, Inc. on every page that displays an avatar. This information could be used to track browsing activities and interests by Automattic and/or anyone they choose to share the information with. This applies to you and to everyone who visits your site. To put this in context, WordPress runs 20% of the web, so by enabling this service you're adding to a global tracking network owned by a third-party commercial entity whose goals and philosophies may or may not align with yours, now and/or in the future. To disable Gravatar, click here.